Fast reconnect


Wireless sessions may be renewed at regular intervals by using fast reconnect (fast re-authentication).

When a one-time password (OTP) authentication is performed, a session ID is assigned to the wireless connection. Fast reconnect uses that session ID to automatically re-authenticate the wireless connection rather than requiring user ID and OTP input from the user.

Figure: Fast reconnect (Overview)

Fast reconnect authentication process

During a fast reconnect operation, the authentication process proceeds as follows:

  1. OneSpan Authentication Server identifies the client component. To allow fast reconnect, a record for the wireless access point that makes the fast reconnect request must exist in the data store.

  2. OneSpan Authentication Server retrieves the policy to use from the component record.

  3. OneSpan Authentication Server performs the following checks:

    • Windows username/domain resolution (if used)

    • Windows group check

    • Verify whether the user has a user account

    • Verify whether the user account is disabled or locked

  4. (OPTIONAL) If back-end authentication and stored password proxy are enabled, OneSpan Authentication Server verifies the stored static password with another system (e.g. Windows or RADIUS).

  5. The authentication result is audited and returned.

Roaming connections

Users are considered to be roaming if all of the following apply:

  • Multiple wireless access points are available.

  • The user may connect to more than one wireless access point.

  • The user will be moving from the range of one wireless access point to another.

A change from one wireless access point to the next can be made without inconvenience to the user if fast reconnect can be used between the access points.

Roaming connections are not supported over multiple OneSpan Authentication Server instances.

Fast reconnect will only work for roaming wireless connections if all of the following apply:

  • All wireless access points are sending authentication requests to the same OneSpan Authentication Server instance.

  • All component records for the wireless access points are using the same policy.

  • All wireless access points are configured to use the same SSID.

Figure: Roaming wireless fast reconnection

Limitations

Fast reconnect with OneSpan Authentication Server has the following limitations and caveats:

  • Clearing the OAS RADIUS TLS session cache on demand for a specific user, domain, device, or otherwise is currently not supported. This means that in some circumstances previously authenticated users or devices may continue to successfully perform fast reconnect even after the user credentials are changed, e.g., the static password. This may be possible until the respective TLS session expires, the TLS session expiry policy parameters are changed, or the OneSpan Authentication Server service/daemon is restarted.

    Blocking fast reconnect for stolen or compromised devices

    This limitation makes it difficult to immediately block fast reconnect for devices that have been stolen or compromised, which may pose a security concern in some environments. We strongly recommend disabling fast reconnect completely in such cases. You can do so by setting the RADIUS > Maximum fast reconnect count policy setting to 0 via the Administrator Web Interface.

  • The RADIUS TLS session cache is currently not persistent. This means that all recently authenticated users and devices need to perform a full authentication with OneSpan Authentication Server after a service restart.

  • The RADIUS TLS session cache is currently not distributed across multiple OneSpan Authentication Server instances. This means that in multi-instance deployments, users may be required to perform a full authentication more frequently than is configured in the policy of the RADIUS client component in OneSpan Authentication Server.
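The following Python model is an added illustration, not OneSpan code: it walks through the fast reconnect decision described above (component record, policy from the record, account checks, roaming across access points) and reproduces the cache limitations in this section, namely that the cache is in memory per instance and that a credential change does not invalidate a cached session until it expires, the policy count is exhausted, or the cache is cleared. The class and field names (`Policy`, `CachedSession`, `ServerInstance`, `max_fast_reconnect_count`, `session_ttl`) are assumptions chosen for the model.

```python
from dataclasses import dataclass

@dataclass
class Policy:
    max_fast_reconnect_count: int  # 0 disables fast reconnect entirely
    session_ttl: int               # assumed TLS session lifetime, in seconds

@dataclass
class CachedSession:
    user: str
    policy: str
    ssid: str
    reconnects: int = 0
    expires_at: int = 0

class ServerInstance:
    def __init__(self, policies):
        self.policies = policies   # policy name -> Policy
        self.components = {}       # access point name -> (policy name, SSID)
        self.users = {}            # user -> {"locked": bool}
        self.cache = {}            # session ID -> CachedSession; in memory only
        self._next_id = 0

    def full_auth(self, ap, user, otp_ok, now):
        """OTP login; on success a session ID is assigned to the connection."""
        if ap not in self.components or not otp_ok or self.users[user]["locked"]:
            return None
        pol, ssid = self.components[ap]
        self._next_id += 1
        ttl = self.policies[pol].session_ttl
        self.cache[self._next_id] = CachedSession(user, pol, ssid, 0, now + ttl)
        return self._next_id

    def fast_reconnect(self, ap, session_id, now):
        """Steps 1-5 from the text; the optional back-end check (4) is omitted."""
        if ap not in self.components:               # 1. component record must exist
            return "reject: unknown component"
        pol, ssid = self.components[ap]             # 2. policy comes from the record
        s = self.cache.get(session_id)
        if s is None or now >= s.expires_at:        # expired or lost (e.g. after restart)
            return "full auth required"
        if s.policy != pol or s.ssid != ssid:       # roaming: same policy and SSID only
            return "full auth required"
        if self.users[s.user]["locked"]:            # 3. account checks
            return "reject: account locked"
        if s.reconnects >= self.policies[pol].max_fast_reconnect_count:
            return "full auth required"             # count exhausted (0 = never allowed)
        s.reconnects += 1                           # a changed password is never consulted
        return "accept"                             # 5. result audited and returned
```

Changing the user's static password in this model touches nothing in `cache`, which is exactly the window the first limitation describes; only expiry, a count of 0, or clearing the cache (restart) closes it.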